Hybrid mobile apps could be ticking security time bomb

Hybrid mobile apps, which are forecast by Gartner to account for half of all mobile apps by 2016, pose significant security risks, warns ICSA Labs.

Researchers at Syracuse University have demonstrated that hybrid apps based on HTML5 are more susceptible to code injection than native apps. Such an injection could result in personal information being captured and sent to an attacker, and in the app spreading its malware to a victim's contacts through SMS text messaging, the security testing lab explains.

"Unlike native apps that just display the would-be malicious code, the HTML5-based app, depending on the JavaScript API, executes that code. The findings were consistent across all of the HTML5-based app development frameworks tested at Syracuse," writes Jack Walsh, mobility program manager at ICSA Labs, in a blog post.

"The researchers at Syracuse list some of the JavaScript APIs that may be vulnerable to such attacks. Enterprises developing HTML5-based apps should become familiar with them and carefully weigh the risk of using them in their hybrid apps," Walsh advises.

In an interview with FierceMobileIT, Walsh explains that hybrid apps consist of HTML5 and JavaScript inside a container that can run across different types of mobile operating systems.

"If you are developing these hybrid apps, you have to take steps to consider which APIs you are using because in some cases the API renders [displays] the way a native app would but in some cases it also executes" code that could be malicious, Walsh says.
